Report No. AUD-09-020                                                    August 2009

Federal Deposit Insurance Corporation
Office of Inspector General

Audit of Information Technology Controls in Support of the FDIC Funds' 2008 and 2007 Financial Statements Audit

Why We Did The Audit

The FDIC Office of Inspector General (OIG) contracted with KPMG LLP (KPMG) to conduct an audit of the FDIC's Information Technology (IT) controls over key financial systems and data that support financial management and the generation of financial statements for the Deposit Insurance Fund (DIF) and the Federal Savings and Loan Insurance Corporation Resolution Fund (FRF) (hereafter, the Funds). The results of this audit support the Government Accountability Office (GAO) in assessing the effectiveness of the FDIC's internal control over financial reporting for the Funds' 2008 and 2007 financial statements audit.

The objective of the audit was to assess (1) the progress the FDIC has made in mitigating previously reported IT security control deficiencies pertaining to financial systems and information and (2) the effectiveness of the FDIC's controls in protecting the confidentiality, integrity, and availability of its financial systems and information. The scope of KPMG's work was limited to assessing (1) the FDIC's remedial actions pertaining to 15 IT security control deficiencies reported by the GAO during the prior-year financial statements audit of the Funds and (2) selected access and separation of duties controls within the Accounts Payable and General Ledger modules of the PeopleSoft Enterprise Financials Management application (PeopleSoft financials).

Background

The FDIC relies extensively on automated information systems to support the preparation of financial statements for the Funds. The FDIC's principal financial system is the New Financial Environment (NFE), which includes the PeopleSoft financials.

KPMG used the GAO's January 1999 Federal Information System Controls Audit Manual methodology to conduct the audit. KPMG also used security standards and guidelines issued by the National Institute of Standards and Technology as its principal criteria.

Audit Results

KPMG found that the FDIC had taken action to mitigate 14 of the 15 previously reported IT security control deficiencies pertaining to the FDIC's financial systems and information. Such actions included updating the FDIC's risk assessment for the NFE, segregating incompatible system-related duties for key individuals supporting the NFE, and performing software configuration audits of the NFE. With respect to the remaining control deficiency concerning maintenance of requirements baselines, the FDIC had not yet fully implemented corrective actions by the close of KPMG's field work. Accordingly, the OIG plans to assess the sufficiency of the FDIC's actions to address this control deficiency in future audit work.

KPMG also found that, with respect to the control areas assessed, the FDIC had established and implemented a number of effective controls that were designed to protect the confidentiality, integrity, and availability of financial systems and information. Of particular note, the FDIC had implemented a major restructuring of the NFE's security controls in July 2008 that included, among other things, limiting user access to system functionality and data consistent with business needs and improving security monitoring controls.

The above actions were positive. However, KPMG identified two security control deficiencies, neither of which the GAO considered to be significant deficiencies in the context of the Funds' 2008 and 2007 financial statements audit. Specifically, KPMG found that sensitive financial information, including personally identifiable information (PII), and program files were not adequately protected from unauthorized disclosure or modification. This deficiency increased the risk of an unauthorized disclosure or compromise of PII, which could have led to identity theft or other consumer fraud. The deficiency also increased the risk that a knowledgeable internal user could have accessed or modified financial program files for unauthorized purposes. KPMG immediately notified the FDIC of this control deficiency and subsequently confirmed that action had been taken to protect the sensitive information and files.

KPMG also found that the FDIC had not followed its software configuration management processes when installing software updates to a key NFE-interfacing application. Specifically, the FDIC installed copies of software updates that had not been subject to proper quality assurance testing and analysis. No system problems appear to have occurred as a result of this control deficiency. In addition, FDIC officials described various compensating controls that would help to reduce the risk associated with this deficiency. However, the deviations from the FDIC's configuration management processes presented a risk that errors or unauthorized software modifications could have been introduced into the NFE production computing environment.

Recommendations and Management Response

KPMG made three recommendations to strengthen IT controls by reducing the risk of unauthorized modification or disclosure of sensitive financial information and program files and ensuring that software installed in the production computing environment is subject to proper quality assurance testing and analysis. The FDIC concurred with the recommendations, and its actions and planned actions are responsive.

This report addresses issues associated with information security. Accordingly, we do not intend to make public release of the specific contents of the report.